giant GDPR notice
Last updated May 2018
GENERAL DATA PROTECTION REGULATION
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) (the “GDPR”) sets out the principles and requirements that should be followed when processing personal data of any kind.
1. Identification of the Data Controller
This section gives you the details of the legal name of the company who holds your personal information – know as the ‘legal entity’ – and tells you how you can get in touch with us.
giant is made up of a mix of companies, set up in different legal entities. We will confirm the exact legal entity, which you have a relationship with, when you become our employee, client or supplier. You can find out more about us at www.giantgroup.com
2. Contacting us about your data privacy and this GDPR notice
Please use these details to contact us about any of the topics set out in this GDPR notice.
If you are our employee and have any questions, or want more details about how we use your personal information, please submit your question via your online employee portal feedback section.
If you are our client or supplier, please contact directly your usual key contact, such as our Business Development Manager.
If more convenient, you can call us on 0330 024 0946 (+44 330 024 0946) from outside the UK). Lines are open Monday to Friday 9am to 6pm. Calls may be monitored and recorded. Or email us at email@example.com
Alternatively, you can also write to us at our registered office address: giant, 3 Harbour Exchange Square, London E14 9TQ
If you are not satisfied with our response, you can ask for it to be escalated to our Group Data Protection Officer.
3. Purposes and Lawful Basis for Processing of Personal Data
This section sets out the legal reasons we rely on, for each of the ways we may use your personal information.
As well as our privacy promise to you set out in this GDPR notice, your privacy is protected by law. This section explains how that works.
Data Protection law says that we are allowed to use personal information only if we have a proper reason to do so. This includes sharing it outside giant. The law says we must have one or more of these reasons:
- to fulfil a contract we have with you, or
- when it is our legal duty, or
- when it is in our legitimate interest, or
- when you consent to it.
When we have a business or commercial reason of our own to use your information, this is called a ‘legitimate interest’. We will tell you what that is, if we are going to rely on it as the reason for using your data. Even then, it must not unfairly go against your interests.
The law and other regulations treat some types of sensitive personal information as special. This includes information about racial or ethnic origin, sexual orientation, religious beliefs, trade union membership, health data and criminal records. We will not collect or use these types of data without your consent unless the law allows us to do so. If we do, it will only be when it is necessary:
- For reasons of substantial public interest; or
- To establish, exercise or defend legal claims.
4. Sources where Personal Data is Collected from
We may be already or will become aware of your personal data in a number of ways - directly from you, from others and otherwise over time through our relationship with you and may receive and/or retain it in various forms (whether in writing, electronically, verbally or otherwise).
Data we get from you:
- When you apply for and/or use our products or services, including becoming our employee
- When you talk to us on the phone, including recorded calls and notes we make
- When you use our website, mobile device apps, employee or client portals
- In emails and letters
- In satisfaction surveys
- If you take part in our competitions or promotions.
Data we collect when you use our services:
- Details about how and where you access our services; and
- Account activity that is shown in your employee or client /supplier portal (including contact logs and helpdesk query logs).
- Data received from outside of Giant Group:
- Companies that introduce you to us (such as employment agencies, corporates, public bodies.)
- Recruitment consultants
- Agents, suppliers, sub-contractors and advisers
- Our existing employees and clients
- Market researchers (who combine data from many sources to produce market trend reports and advice).
5. Categories of Personal Data
Depending on the relationship we have with you, the personal data we collect is different.
If you become our employee and/or we are processing your payroll, we hold certain personal information about you as part of the general employee and/or payroll records. Our records may include your:
- name, address and contact details;
- date of birth,
- marital status,
- employment application,
- curriculum vitae,
- history with the company,
- job title,
- areas of expertise,
- details of salary (including your payslips and tax forms) and benefits,
- National Insurance number,
- bank details,
- performance appraisals,
- disciplinary records,
- salary reviews,
- records relating to holiday and other leave,
- working time records,
- and other similar and related personal information.
Use of Employee Personal Data
We use this data for a variety of personnel, administration, employee, work and general business management purposes.
For example, we require the data to:
- administer payroll,
- improve and maintain the administration of employee benefits (such as bonuses, pensions, leave entitlements and any employee benefits offered by third parties who we have established a contractual relationship),
- to facilitate the management of work and employees,
- to comply with record keeping and other legal obligations.
We may also process information relating to your health, which may amount to sensitive personal data. The information that we may hold relating to your health is the records of sickness absence and medical certificates (including Self-Certified Sickness Forms and Fit Notes and any medical reports which you have provided). The purpose of keeping this sort of information is to monitor and manage sickness absence and to comply with obligations under Health and Safety legislation and the Disability Discrimination Act 1995.
Clients, Suppliers and Business Contacts
If you are interested in becoming our client or supplier or are an existing client or supplier, we process personal data about business contacts (our existing and potential clients and suppliers and/or individuals associated with them) using a customer relationship management system (the “CRM”). The collection of personal data about contact and the addition of that personal data to the CRM is initiated by our CRM users and will include:
- Employer name
- Contact title
- Other business contact details.
In addition, our CRM may collect data from our emails (sender name, recipient name, date and time) and calendar (organiser name, participant name, date and time of a calendar event) and systems concerning interactions between our CRM users and contacts or third parties.
Use of Client or Supplier Personal Data
Personal data relating to our clients, suppliers and business contacts may be visible to and used by our own employees to learn more about an account, client, supplier or opportunity they have an interest in, and may be used for the following purposes:
- Administering, managing and developing our businesses and services;
- Providing information about us and our range of services;
- Making contact information available to our employees;
- Identifying clients/contacts with similar needs;
- Describing the nature of a contact’s relationship with us;
- Performing analytics, including producing metrics for our leadership, such as on trends, relationship maps, sales intelligence and progress against account business goals.
In addition, our CRM uses an algorithm to evaluate the strength of interactions between our own employees and a contact. This ranging is primarily based on interaction frequency, duration and response time.
We do not sell or otherwise release personal data contained in our CRM to third parties for the purpose of allowing them to market their products and services without consent from individuals to do so.
6. Security and Location
We take the security of all the data we hold very seriously. We adhere to internationally recognised security standards and our information security management system relating to confidential data is independently certified as complying with the requirements of ISO27001. We have a framework of policies, procedures and training in place covering data protection, confidentiality and security and regularly review the appropriateness of the measures we have in place to keep the data we hold secure and systems upgraded in line with legal and technological developments.
All data we collate is stored in a database located in the United Kingdom. The database is administered by a company within our group of companies.
7. Visiting our website and offices
Collection of personal data
We ask that you do not provide sensitive information (such as race or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; physical or mental health; genetic data; biometric data; sexual life or sexual orientation; and, criminal records) to us when using our website; if you choose to provide sensitive information to us for any reason, the act of doing so constitutes your explicit consent for us to collect and use that information in the ways described in this notice or as described at the point where you choose to disclose this information.
Links to Other Websites
Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this GDPR notice. You should exercise caution and look at the privacy statement applicable to the website in question.
Visiting our offices
We have security measures in place at our offices, including CCTV and office access controls. There are signs in our office showing that CCTV is in operation. The images captured are securely stored and only accessed on a need to know basis (e.g. to look into an incident). CCTV recordings are typically automatically overwritten after a short period of time unless an issue is identified that requires investigation (such as a theft). We require visitors to our offices to report to receptionist who will co-ordinate with the member of staff who is expecting a visitor.
8. Cookies Policy
A cookie is a small file which asks permission to be placed on your computer's hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.
We use traffic log cookies to identify which pages are being used. This helps us analyse data about web page traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system.
Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.
9. When and How we Share Personal Data
We will only share personal data with others when we are legally permitted to do so. When we share data with others, we put contractual arrangements and security mechanism in place to protect the data and to comply with our data protection, confidentiality and security standards.
We will need to make personal and sensitive data available to giant for the purposes set out above.
Likewise, we will also need to make this data available to:
- legal and regulatory authorities (such as HMRC);
- accountants, auditors, lawyers and other outside professional advisors;
- companies who provide products and services to us (such as IT systems suppliers, pension scheme or employee benefits providers);
- other outsourcing providers,
- recruitment agencies, corporates or public bodies referring individuals for employment and/or payroll and/or accountancy services with us and/or
- hirers or clients where our employees carry out their assignment.
10. Data Retention Policy
Personal data will be retained by us for as long as it is necessary for the purposes set out above. This depends on whether we have any legal duties and obligations that require us to retain all or some of the personal data collected or for as long as we have, or need to keep a record of a relationship with our client and any particular business contact.
In the absence of specific legal, regulatory or contractual requirements, our baseline retention period for records and other documentary evidence created in the provision of services or as an employer is 6 years.
11. Rights of Individuals in Relation to their Personal Data and How to Exercise These Rights
Individuals have certain rights over their personal data and data controllers are responsible for fulfilling these rights. Where we decide how and why personal data is processed, we are a data controller and include further information about the rights that individuals have and how to exercise them below.
Access to personal data
You have a right of access to personal data held by us as a data controller. This right may be exercised by contacting us on contact details set out above at the start of this GDPR notice. We may charge for a request for access in accordance with applicable law. We will aim to respond to any requests for information promptly, and in any event within the legally required time limits.
Correction of personal data
To update personal data submitted to us, please contact us on contact details set out above at the start of this GDPR notice. Where appropriate, you may be able to update your personal data directly (such as via your personal portal if you have been provided with your login details by us).
Any request to update your personal data is dealt with promptly and at our earliest opportunity.
Withdrawal of consent
Where we process personal data based on consent, individuals have a right to withdraw consent at any time. We do not generally process personal data based on consent (as we can usually rely on another legal basis). To withdraw consent to our processing of your personal data, please contact us on contact details set out above at the start of this GDPR notice or to stop receiving an email from our marketing list, please click on the unsubscribe link in the relevant email received from us.
Other data subject rights
This GDPR notice is intended to provide information about what personal data we collect about you and how it is used. As well as rights of access and amendment referred to above, individuals may have other rights in relation to personal data we hold such as right to erasure/deletion, to restrict or object to our processing of personal data and the right to data portability. If you wish to exercise any of these rights, please contact us on the contact details set out above at the start of this GDPR notice.
Your privacy and our compliance to data protection laws are very important to us and we work hard to ensure you don’t have to feel concerned, but if you do want to complain about our use of personal data, please send an email with the details of your complaint to firstname.lastname@example.org. We will look into and respond to any complaints we receive.
You also have the right to lodge a complaint with the Information Commissioner’s Office (“ICO”) (the UK data protection regulator). For further information on your rights and how to complain to the ICO, please refer to the ICO website.